Bill > SB1421

This bill establishes a new legal framework for data security in Tennessee that provides businesses with an affirmative defense against data breach lawsuits if they maintain a robust cybersecurity program. Specifically, the bill defines key terms like "data breach," "personal information," and "covered entity," and requires businesses to create and maintain a written cybersecurity program with administrative, technical, operational, and physical safeguards. The program must protect sensitive information, continuously evaluate potential security threats, and include employee training with a designated security officer. To qualify for the affirmative defense, businesses must demonstrate that their cybersecurity program reasonably conforms to recognized industry frameworks, such as NIST standards, HIPAA security requirements, or Payment Card Industry standards. Importantly, the bill does not create a private right of action, meaning individuals cannot directly sue under this law, but it provides a legal shield for businesses that can prove they took comprehensive, proactive steps to protect sensitive data. The law will take effect on July 1, 2025, giving businesses time to implement the required cybersecurity measures.

Justice

https://wapp.capitol.tn.gov/apps/Billinfo/default.aspx?BillNumber=SB1421&ga=114